title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: test
description: |
    Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
    This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
    In order to dump the process memory or perform other nefarious actions.
references:
    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
    - https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
modified: 2024-03-13
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tasklist.exe'
        - OriginalFileName: 'tasklist.exe'
    selection_flags:
        CommandLine|contains|windash: '-m'
    selection_module:
        # Note: add other interesting modules or binaries
        CommandLine|contains: 'rdpcorets.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Security Tools Keyword Lookup Via Findstr.EXE
id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
status: test
description: |
    Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
    This detection focuses on the keywords that the attacker might use as a filter.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-10-20
modified: 2023-11-14
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith:
            # Note: Add additional keywords to increase and enhance coverage
            # Note:
            #   We use the double quote variation because in cases of where the command is executed through cmd for example:
            #       cmd /c "tasklist | findstr virus"
            #   Logging utilties such as Sysmon would capture the end quote as part of findstr execution
            - ' avira'
            - ' avira"'
            - ' cb'
            - ' cb"'
            - ' cylance'
            - ' cylance"'
            - ' defender'
            - ' defender"'
            - ' kaspersky'
            - ' kaspersky"'
            - ' kes'
            - ' kes"'
            - ' mc'
            - ' mc"'
            - ' sec'
            - ' sec"'
            - ' sentinel'
            - ' sentinel"'
            - ' symantec'
            - ' symantec"'
            - ' virus'
            - ' virus"'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
simulation:
    - type: atomic-red-team
      name: Security Software Discovery
      technique: T1518.001
      atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2